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Tools for automatic verification 
of a system 


e Which tool to choose? 
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UPPAAL 
e What does UPPAAL serve for? 


e UPPAAL editor, simulator and verifier 


e Declarations in the editor 


Automata in UPPAAL 


e States of the automaton 


e Numeric variables and constants 
* Description of the automaton's transition 
e Channels and synchronisation 


e Clock variables 


Verification in UPPAAL 


e Syntax of the language of formulas 
e Verification of reachability, liveness and safety 
e What is possible? 
e What is not possible? 


Tools for automatic 
verification of a system 


e Which tool to choose? 


Tools for automatic verification of a systen 


Which tool to choose? 


description of the 
tool temporal logic 
system's model 


Kronos language ET-LOTOS CTL (TCTL) 
NuSMV language SMV LTL, CTL, RTCTL 
opin language PROMELA LTL 
UPPAAL graphic CTL (TCTL) 


Verus language Verus E CERTO od PRTC EE 


e What does UPPAAL serve for? 
* UPPAAL editor, simulator and verifier 


e Declarations in the editor 


UPPAAL 


What does UPPAAL serve for? 
Goal: 


modelling and analysis of real-time systems, including 
concurrent programs. 


Possibilities: 


graphic modelling a system as finite state automata, 
using timed automata (automata with clocks), 
graphic simulating possible runs of the automata, 


specifying some properties of the system as CTL formulas 
(temporal operators F and G only, without nesting thereof), 


verifying some properties of the model. 


UPPAAL editor, simulator and verifier 
otep 1. Modelling 


— build a model of a system as an automaton or automata. 


otep 2. Simulating 

— check, step by step, whether the model behaves correctly. 
otep 3. Write properties of the system as logic CTL formulas. 
otep 4. Verifying 


— automatically verify truth of these formulas. 
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UPPAAL editor, simulator and verifier 


Work order in UPPAAL: 


G:/Projekty/Programy/UPPAAL/mutex. xml - UPPAAL 
Fie Edt View Tools Options Help 


G:/Projekty/Programy/UPPAAL/mutex.xml - UPPAAL }) 
File Edt View Tools Options Help 
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Editor || Simulator || verifier | 


t G:IProjekty/Programy/UPPAAL/mutex.xml - UPPAAL L a [x] 


Fie Edk View Tools Options Help 


(Bee [ms - 


[Editor | Simulator | Verifier | 


const in [1,2] me, int{0,1] &req self, int[0, 1] &req other. 


tum := (me == 122: 1) 


req other == 0 


umnz(1221?2:1) 


2)Simulator 


Overview 


[AL] (P1.C8 or P2.CS) 


Query 
AD (P1.CS or P2.CS) 


Comment. 


tablished direct connection to local server. 
(Academic) UPPAAL version 4.0.12 (rev. 4561), July 2010 -- server. 
(PL.SC or P2,5C) 
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(PL.CS or P2.CS) 
established direct connection to local server. 

(Academic) UPPAAL version 4.0.12 (rev. 4561), July 2010 ~ server. 
is not satisfied. 


3) Verifier 
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Declarations in the editor 


e Instances of automata are declared 


in the System declarations. 


e Global variables are declared 
in the upper Declarations. 


* Local variables (for one 
automaton) are declared 


in the Declarations “bellow” 


this automaton's template. 


File Edit View Tools Options H 


‘([Bla| eB) |& | & | | | 
l Editor | Simulator | Verifier 
[5] Project 

TN Declarations 


? S [Template] 


TN Declarations 
[ħ System declarations 
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Automata in UPPAAL 


e States of the automaton 
e Numeric variables and constants 
* Description of the automaton's transition 
e Channels and synchronisation 


e Clock variables 
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otates of the automaton: 


e normal, 


e initial, initial 


e urgent: 


e time of being in it equals zero 
(it is left immediately), 


committed urgent 


e committed: 


e time of being in it equals zero 
(it is left immediately), 


e leaving it has a higher priority than leaving the urgent state. 
If more than one committed state is active, the order of leaving 


them is random. 
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Automata in UPPAAL 


Numeric variables and constants 
Declarations of variables: 
e intname; //an int variable (range from -32768 to 32768) 
e int [0,9] name; an int variable (range from 0 to 9) 
e int name[3] = {1,2,3}; //a table of 3 int variables and their values 
e bool name; //a logic variable 
Declaration of a constant: 
e const intname = 3; /an int constant and its value 
Declaration of a type: 
e typedef int [0,9] name; /a definition of a type int[O,9] 
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Description of the automaton's transition: 


e Select — a selection of a variable's value from a given range, 
e guard — a condition to take the transition, 


e sync — a synchronisation through a channel, 


e update — a change of values of variables and an execution of 
functions. 


i:int[0,9] 
E c! Xis] g 
C? X mem g 
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Channels and synchronisation 


Binary channel 


e Synchronisation between two automata. 
e Lack of a receiver blocks the sender. 
e For many available receivers 1 of them is chosen randomly. 


Declaration of a channel: 


e chan name: È d o 
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Channels and synchronisation 


Binary urgent channel 


e Synchronisation between two automata. 

e Lack of a receiver blocks the sender. 

e For many available receivers 1 of them is chosen randomly. 
e Instant synchronisation (waiting time equals 0). 


e Any guard with clock variables on a transition with the channel 
is forbidden. 


Declaration of a channel: 


* urgent chan name; 
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Channels and synchronisation 


Broadcast channel 


« Synchronisation between one automaton and one or many 
at once. 


e Lack of a receiver does not block the sender. 
« Synchronisation applies to available receivers only. 
Declaration of a channel: 


e broadcast chan name; 
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Clock variables 


Declaration of a clock variable: 


e clock name; 


A clock variable, as a state's invariant, makes the state to be left. 
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Verification in UPPAAL 


e Syntax of the language of formulas 
e Verification of reachability, liveness and safety 
e What is possible? 
e What is not possible? 
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Verification in UPPAAL 


oyntax of the language of formulas 


formula ::= Al expression | 'E<>' expression | 'E[] expression | A<> 
expression | expression --> expression 


expression ::= ID | NAT | expression '[' expression 'T | '(' expression ')' | 
expression rt | '++' expression | expression '--' | '--' expression | 
expression assign expression | unary expression | expression binary 
expression | expression '?' expression ':' expression | expression '.' ID | 
expression '(' arguments ')' | 'forall' '(' ID ':' type ')' expression | 'exists' '(' ID *:' 
type ')' expression | 'deadlock' | 'true' | 'false' 


arguments ::= [ expression ( ',' expression )* ] 


assign I CH | = | dE | r o=! | *_! | | | "om | ‘|= | 'e7 | 'A—! | erm | KE 
unary ::= '+' | | 'T | 'not 

binary Pres nen | <= | l=! | T= | WE | = | LA | d | UY | T | SEN | GA | |J | YA! | lec! | 
WK | '&& | |l | co | P a | or | "and | ‘imply’ 


type — predefined or created type of data 22 


Verification of reachability, liveness and safety 


e Reachability: 
E«» D.s - the state s of the automaton D may be reached, 
A<> D.s — the state s of the automaton D will be reached. 


e Liveness: D.s --> D.z== 


— if the state s of the automaton D is reached, it will result in reaching its 
local variable z == 3, 


in CTL: AG(D.s = AF D.z--3). 
e Safety: 


E[] D.s - the automaton D may be still in the state s, 
A[] D.s — the automaton D is still in the state s. 
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What is possible? 


e to use temporal operators F (as “<>") and G (as '[ T’), 


* to check, whether a given state is/will be active 
and whether a given variable has/will have a declared value, 
e.g.: 
e Al] aut.s imply aut.z >= x 
— certainly always aut.s implies aut.z >= x, 


e E<> aut.s and aut.z >= x 
— possibly finally aut.s and aut.z >= x at once, 


e Al aut.s1 + aut.s2 + aut.s3 <= 1 


— certainly always at most one of the states aut.s1, aut.s1 and aut.s3 
is active. 
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What is possible? 
e to check, whether the system of automata is blocked (the 
deadlock expression), i.e. it is not possible to change any state, 
e.g.: 


E«»deadlock 
— the deadlock may finally be possible, 


All not deadlock 
— the deadlock is never possible, 


e to use quantifiers, e.g. for automata: 


"for all", e.g.: E<> forall (i:range) aut(i).s 
"exists", e.g.: E<> exists (i:xrange) aut(i).s 
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What is not possible? 


e to use other temporal operators than G and F, 


* to nest temporal operators, 
e to use more than one temporal operator in one formula, 
e to use the operator --> together with a temporal operator, 


e to use the operator --» together with the deadlock expression. 
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* A. David et al. "UPPAAL 4.0: Small tutorial", 2009, at: www.uppaal.com 
e "UPPAAL Language Reference”, http://www.uppaal.com/index.php?sida=21 7&rubrik=101 


